Cloudflare Pages and custom SSL certs
Hey, is it possible to upload your own SSL certificate and use it for a custom domain (not the pages.dev one!) on a Cloudflare Pages site?
27 Replies
Support AI
According to the documentation, it is not possible to use an Advanced Certificate with Cloudflare Pages due to Cloudflare for SaaS's certificate prioritization. However, it does not explicitly state that uploading a custom SSL certificate is not allowed.
But, it does mention that "Advanced Certificates cannot be used with Cloudflare Pages" which might imply that custom certificates are not supported either.
To confirm, I would recommend checking the Cloudflare documentation on custom certificates and Cloudflare Pages to see if there are any specific instructions or restrictions on using custom SSL certificates with Cloudflare Pages.
Source: https://developers.cloudflare.com/pages/platform/known-issues/
This is an AI generated response, it may not be 100% accurate. Please validate the output. You can ask followups by replying to this message or mentioning me.
I did see that here. https://i.antonio32a.com/VrInO8H9qk.png
Do I need Advanced Certificates to upload my own SSL cert though?
You need a Business plan or higher to upload your own certificate, of which you can upload one.
https://developers.cloudflare.com/ssl/edge-certificates/custom-certificates/
Pages on Custom Domains uses "CF For SaaS", you can see the priority list here: https://developers.cloudflare.com/ssl/reference/certificate-and-hostname-priority/
Adv certs are below, Custom certs are above.
Business is expensive if you just have this use case though, do you really need your own cert?
In this case yes, and I am on the business plan.
well then as long as it matches the hostname, it'd take priority over the pages cf for saas cert
I have quite a unique setup here:
- client has a subdomain that they want us to use e.g.: something.client.com
- I have bound the Cloudflare Pages custom domain to something.example.com
- something.client.com is also added as a custom domain
- something.client.com has a CNAME which points to something.example.com (our domain, which points to the .pages.dev domain)
- client wants to bring their own SSL certificate for something.client.com
Would it be possible to have this setup at all, since something.client.com is not in our zone? Would I need ACM for this?
That wouldn't work unrelated to the certificate, CF Pages/CF For SaaS is basically an allowlist of allowed hosts. You're trying to do
their domain -> your domain -> pages.dev, where your domain is the only thing as a custom domain, so only your domain would work
You could do their domain -> pages.dev, but your custom cert wouldn't apply
I think your only option would be setting up CF for SaaS on your own domain, adding their domain, and having it go to a Cloudflare Worker which just proxied the pages.dev.
Worth noting if they use Cloudflare at all, any of their own certificates could override due to Zone specificity
Are you sure about the first part? I have tested second domain -> my domain -> pages.dev and it does work. Second domain is also added as a custom domain (but instead of pointing to pages.dev it points to my domain).
Second domain is however on cloudflare (on a separate account) so maybe CF is automatically "fixing" this and routing it internally?
Just to clarify, this is all without a custom cert.
Also, from what I can tell uploading a custom certificate for CF for SaaS is Enterprise only.

yea, it's not really going through the custom domain effectively, if you look at logs for your domain you won't see anything from it. You're effectively doing the same as domain -> pages.dev, and still need the second domain added
ah
any time I mentioned about custom certs, I mean adding it under ssl/tls -> edge certs -> upload custom ssl cert, not the cf for saas ones.
It's possible it'd still work with the way you're doing it currently, although the docs imply that due to zone specificity, the cf for saas one should be more specific, those docs are a little iffy.. I'll see if I have an easy way to test
Ah, are you saying that by adding my client's subdomain to CF for SaaS it'd consider it as in my zone and then let me actually upload their cert?
I mean even currently without that, it might work. Certs are not restricted to zones, it's just one of the factors supposedly taken in for priority
I've tried to generate a certificate for a different subdomain (that I own, but on a different CF account), but when uploading it seems to fail. I might be doing something wrong though

ahh ok, yea I get the same thing, I've done some of this before and know a custom cert does take prio over Pages, but not the other domain stuff. Makes sense, they try to push you towards the proper CF For SaaS way of this.
Yea the CF For SaaS way doesn't work either, makes sense with it being an option on itself.
The only way I can think of doing it without the ent feature for custom certs is the boring way, which is adding their domain as a Business or higher partial cname zone (https://developers.cloudflare.com/dns/zone-setups/partial-setup/), then it would be in your zone. It'd cost you a full Business plan though
Ah I just found that page and was just about to ask about it.
Would this work if the client already uses cloudflare for some other subdomain (or the root)?
no, has to be using a different dns provider. There's some providers like Porkbun or I believe DigitalOcean which use Cloudflare under the hood and also won't work
I have already committed to a business plan on my current domain, so I would have to rebuy business for the subdomain, but it would not be the end of the world (and it would be cheaper than setting up everything manually).
I'll have to check with the client to see what they actually use.
Also slightly off-topic, but in case this setup doesn't work, I'll probably have to spin up a few servers and load balance between them. I'd still like to use CF's DDoS protection, the caching and load balancing, since it'd significantly decrease the amount of bandwidth sent to my servers. I'm assuming I'd also have to add the client's subdomain as a partial zone, right?
I'm pretty sure some other vendors (e.g. ddos guard) just give you a v4 address to add as an A record (which is what initially my client wanted), but from what I can tell this isn't available with CF.
CF For SaaS -> Apex Proxying can do that, Enterprise only though
dang
https://developers.cloudflare.com/cloudflare-for-platforms/cloudflare-for-saas/start/advanced-settings/apex-proxying/
Cloudflare assigns a set of IP prefixes - cost associated, reach out to your account team - to your account (or uses your own if you have BYOIP). This means that customers can create a standard A record to route traffic to your domain, which can support the domain apex.
Alright, in that case I'll give partial zones a try if it'll work with them. Thanks for all the help!
Sure, and CF did eventually commit last week to bring down "most" features to non-enterprise: https://blog.cloudflare.com/enterprise-grade-features-for-all/, so it's very possible we'll see some of those locked things not be so restrictive in the future
I'll keep an eye on it, but unfortunately this is pretty time sensitive so I probably won't be able to use them.
Big doubt. Apex proxying more or less requires dedicated IPs.
Even just custom ssl for cf for saas would be nice and potentially fix this without having to partial zone it
I mean, they talked about bringing Magic Transit down even, and specific non-ent features like Spectrum already do give dedicated IPs. eh, it'd probably be an expensive addon if nothing else lol. It'll be cool to see what they eventually do, this is super early on